search

lbuchs / WebAuthn

A simple PHP WebAuthn (FIDO2/Passkey) server library
https://webauthn.lubu.ch
MIT License
419 stars 75 forks source link

Using for decryption #71

Closed WindowsNT closed 1 year ago

WindowsNT commented 1 year ago

It's a great library, I use it for biometric login. On create , I store the credential ID and the user's public key in the database

Now let's say I want to encrypt some data and then decrypt it with PHP. On encrypt, I can use openssl_seal, passing the public keys I get from the database (encrypt to more than one user perhaps).

Can I use the library to decrypt this data? Can this public/private pair be used for generic cryptography and not only for login?

Or, can I get a symmetric secret with the library to use it symmetrically, which will only returned to me when the user authenticates successfully?

Or, can I generate my own public/private keys with window.crypto.subtle and then protect the local storage of the private key with Webauthn?

Or, can you use largeBlob extension which as I can see can carry data?

lbuchs commented 1 year ago

Can I use the library to decrypt this data? Can this public/private pair be used for generic cryptography and not only for login?

No. To decrypt you'd need the private key used to generate the webauthn public key, but this key never leaves the authenticator.

Can I use the library to decrypt this data? Can this public/private pair be used for generic cryptography and not only for login?

No. the library is only for login.

Or, can I get a symmetric secret with the library to use it symmetrically, which will only returned to me when the user authenticates successfully?

No, hmac-secret is not implemented. It needs no be supported by the authenticator too, there is not a lot of compatible hardware. When you use 2FA and you have a user password, you could take the user password as a symmetrically key.

Or, can I generate my own public/private keys with window.crypto.subtle and then protect the local storage of the private key with Webauthn?

No. Webauthn cannot protect local storage.

Webauthn is build to protect a login against phishing attacks. It's architecture is build on the base that the host system of the application is secure. When you want to store encrypted user data on the host, the only safe way is to use the user password as a symmetric key. Store a key in a user local storage is not a good idea, as the user can easily delete it without indent, or when using on mobile, the device is deleting the local storage even automatically. The disadvantage of this is that if a user lost his password, his data is gone. A service with a architecture like this, is for example proton.

WindowsNT commented 1 year ago

Thanks a lot for your clarifications.